Azure ATP remote calls to SAM blocked RDS connection


I recently deployed Azure ATP to an environment running Windows 2012 R2 and older machines. During the configuration, the Azure ATP service account was added to Network access - Restrict clients allowed to make remote calls to SAM and pushed out to all machines via default domain policy, as required for lateral movement detection.


Shortly after this change users were denied access through RDS; domain admins were still able to use RDS. As a workaround, selected users were added to the Network access - Restrict clients allowed to make remote calls to SAM policy to restore service.


I've done some research and did not come across any article about configuration conflicts between the remote calls to SAM policy and the RDS service. One article I was able to find talks about changes to RDS in Windows Server 2016, where RCM no longer queries the user's object in AD DS, which may or may not be related.


Has anyone come across this issue? Does anyone have a better understanding of RDS, how SAM-RPC is used, and what the recommended configuration is?


3 Replies

@ehloworldio 

Hi, yes, this particular GPO setting needs to be tested first before configuring it, and we do mention it in our docs, as it might need special configurations for applications such as RDS or Citrix, for that matter.

See: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls



@Or Tsemah Thank you for your reply. I am aware of this article and the audit mode; however, neither this nor any other I've read had any direct mention of RDS incompatibility with this policy.


Seeing how RDS is a Microsoft product, are there any articles with recommended/best practice configuration to work with this policy, where we would not need to add all users to this policy to keep RDS working?


@ehloworldio I understand what you mean.

You can see other products such as Exchange publish support documentation regarding this group policy, for example (https://support.microsoft.com/en-us/help/4055652/access-checks-fail-because-of-authz-access-denied-error-in-windows-ser). While this doesn't answer your question, I hope that it at least makes it a bit clearer why there are caveats with this policy.
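The thread ends without a configuration answer, but the audit mode mentioned in the replies gives a way to find out which principals are actually making SAM-R calls to the affected hosts, so the allow list can be scoped to those rather than to every user. The following PowerShell is an added example written for this page; it is not code from the thread, from Azure ATP or from Microsoft. It assumes an elevated session on a host that is refusing RDS logons, takes the registry value names, the default descriptor and the event IDs from the policy documentation linked in the second reply, and uses an event provider name and message regexes that are my own assumptions and may need adjusting.

```powershell
# Added example (not code from the thread or from Microsoft): read the effective
# "Restrict clients allowed to make remote calls to SAM" descriptor, switch on the
# audit-only mode the replies refer to, and summarise which callers were (or would
# have been) denied, so the GPO allow list can name the RDS-related principals and
# the Azure ATP service account instead of every interactive user.
# Assumptions: run elevated; registry value names, event IDs and the default SDDL follow
# the policy documentation; the event provider name and the message regexes are my own.

$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DefaultSddl = 'O:SYG:SYD:(A;;RC;;;BA)'   # built-in descriptor: Administrators only

function Get-RemoteSamPolicy {
    $props  = Get-ItemProperty -Path $LsaKey
    $sddl   = $props.RestrictRemoteSAM
    $source = if ($sddl) { 'registry' } else { $sddl = $DefaultSddl; 'default' }

    # Decode the SDDL so the allow list is readable. RC (READ_CONTROL, 0x20000) is the
    # access right the policy checks on each remote SAM call.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and $ace.AceType -eq 'AccessAllowed') {
            $name = $ace.SecurityIdentifier.Value
            try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
            [pscustomobject]@{
                Principal = $name
                Sid       = $ace.SecurityIdentifier.Value
                HasRC     = [bool]($ace.AccessMask -band 0x20000)
            }
        }
    }
    [pscustomobject]@{
        Source    = $source
        Sddl      = $sddl
        AuditOnly = ($props.RestrictRemoteSamAuditOnlyMode -eq 1)
        Allowed   = @($allowed)
    }
}

function Enable-RemoteSamAuditOnlyMode {
    # Audit-only mode keeps allowing SAM-R calls but logs the ones the descriptor would deny
    Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSamAuditOnlyMode -Value 1 -Type DWord
}

function Get-RemoteSamDeniedClients {
    param([int]$Hours = 24)
    # Event 16965 ("A remote call to the SAM database has been denied") carries the client
    # SID and network address; 16969 is the throttled summary and is not parsed here.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'   # assumed provider name
        Id           = 16965
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $sid  = if ($_.Message -match 'Client SID:\s*(S-[\d-]+)') { $Matches[1] } else { $null }
        $addr = if ($_.Message -match 'Network address:\s*(\S+)')  { $Matches[1] } else { $null }
        [pscustomobject]@{ Sid = $sid; Address = $addr }
    } | Group-Object Sid, Address | ForEach-Object {
        $sid  = $_.Group[0].Sid
        $name = $sid
        try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{ Principal = $name; Sid = $sid; Address = $_.Group[0].Address; Count = $_.Count }
    } | Sort-Object Count -Descending
}

function New-RemoteSamSddl {
    # Builds the descriptor to paste into the GPO: the default Administrators ACE plus one
    # RC ACE per extra principal (a service account or a group holding computer accounts),
    # which is narrower than adding every user as the thread's workaround did.
    param([Parameter(Mandatory)][string[]]$Principal)
    $aces = foreach ($p in $Principal) {
        $sid = ([System.Security.Principal.NTAccount]$p).Translate([System.Security.Principal.SecurityIdentifier]).Value
        "(A;;RC;;;$sid)"
    }
    $DefaultSddl + ($aces -join '')
}

# Usage (elevated, on a host that is refusing RDS logons):
#   Get-RemoteSamPolicy | Format-List
#   Enable-RemoteSamAuditOnlyMode
#   ... let users log on through RDS for a while, then:
#   Get-RemoteSamDeniedClients -Hours 24 | Format-Table -AutoSize
#   New-RemoteSamSddl -Principal 'CONTOSO\svc-azureatp', 'CONTOSO\RDS-Servers'   # placeholder names
```

Run the audit on the hosts that actually refuse the logons (the session hosts or brokers, not only the domain controllers), since the descriptor is evaluated by the machine that receives the SAM-R call. The denied-client list shows the SID and source address of each caller, which is what decides whether a computer account, a group, or a service account belongs in the GPO descriptor; turn audit-only mode back off once the descriptor has been adjusted and verified.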